Full Report
Thanks to IoT and other developments, we’re having to review more and more non-HTTP protocols these days. While the hardware is interesting to look at, one can often find vulnerabilities at a network layer too. With many of the non-HTTP-only proxies having fallen out of maintenance or requiring a significant amount of custom code to be written for each unique protocol encountered, we decided to build a tool to make such work easier.
Analysis Summary
# Tool/Technique: Mallet
## Overview
Mallet is a framework designed for creating arbitrary proxies for arbitrary network protocols, particularly focusing on non-HTTP protocols where existing proxies are often outdated or require extensive custom coding. It facilitates network layer inspection and manipulation by allowing users to build custom proxy pipelines based on the Netty framework.
## Technical Details
- Type: Tool
- Platform: Java-based (relies on the Netty framework)
- Capabilities: Building custom proxies, intercepting and modifying data streams for non-HTTP protocols, leveraging existing Netty ChannelHandlers.
- First Seen: Presented on April 13th, 2018.
## MITRE ATT&CK Mapping
The primary function of Mallet relates to network interception for analysis or potential manipulation, which aligns generally with network reconnaissance or command and control mechanisms, depending on how it is ultimately leveraged.
- **TA0043 - C2 Command and Control** (Potential application if used to proxy C2 traffic)
- **T1090 - Proxy**
  - T1090.002 - External Proxy (Can be used to funnel traffic through an adversary-controlled point)
- **TA0048 - Inhibit System Recovery** (If used in conjunction with other stages to prevent detection/logging)
- **TA0005 - Defense Evasion** (If used to bypass network segmentation or inspection devices)
## Functionality
### Core Capabilities
- **Proxy Construction:** Functions as a framework to build proxies for virtually any protocol.
- **Netty Integration:** Built on the Netty Framework, allowing for the use of existing Netty `ChannelHandler`, Decoder, and Encoder components.
- **Protocol Handling:** Supports the integration of handlers for specific protocols (e.g., custom handlers, or existing implementations such as the CoAP handlers found in external projects).
- **Pipeline Bridging:** Creates a proxy by bridging two `ChannelPipeline` instances using a `ChannelHandler` that copies messages between them.
- **Network Monitoring:** Provides a user interface to visualize connection graphs, review intercepted connections, and inspect individual network events (direction, type, summary).
### Advanced Features
- **Deep Packet Inspection:** Allows for the implementation of custom `ChannelHandler` logic to transform byte streams into high-level Java objects for business logic manipulation.
- **Data Manipulation:** Facilitates modifying incoming (inbound) or outgoing (outbound) data frames (e.g., using `channelRead()` to modify inbound frames or `write()` to modify outbound frames).
- **Protocol Abstraction:** Separates protocol decoding/encoding from business logic implementation, allowing users to reuse existing decoders/encoders easily.
- **Graph Editor:** Provides a graphical environment to configure the sequence of protocol handlers in the `ChannelPipeline`.
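The two mechanisms described above (bridging two pipelines with a relay handler, and intercepting inbound frames in `channelRead()` and outbound frames in `write()`) are shown together in the following added example. It is written by the editor for this page and is not Mallet's own code; it uses only the public Netty 4.x API, and the listen port, upstream host/port and the `PING`/`PONG` marker text are assumed values chosen for illustration.

```java
// Added example (not Mallet's own code): a minimal Netty 4.x TCP proxy that
// bridges two pipelines with a relay handler and exposes one interception
// point for inbound (channelRead) and outbound (write) frames.
import io.netty.bootstrap.Bootstrap;
import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.util.CharsetUtil;
import io.netty.util.ReferenceCountUtil;

public class MiniProxy {
    // Assumed values for this example only.
    static final int LISTEN_PORT = 9000;
    static final String UPSTREAM_HOST = "127.0.0.1";
    static final int UPSTREAM_PORT = 9001;

    /** Copies every message that arrives on one channel to the peer channel. */
    static final class RelayHandler extends ChannelInboundHandlerAdapter {
        private final Channel peer;
        RelayHandler(Channel peer) { this.peer = peer; }

        @Override public void channelRead(ChannelHandlerContext ctx, Object msg) {
            if (peer.isActive()) {
                peer.writeAndFlush(msg);          // hand the frame to the other pipeline
            } else {
                ReferenceCountUtil.release(msg);  // avoid leaking pooled buffers
            }
        }

        @Override public void channelInactive(ChannelHandlerContext ctx) {
            if (peer.isActive()) peer.close();    // tear down both legs together
        }
    }

    /** Sits on the client-facing pipeline: sees client->server bytes in channelRead
     *  and server->client bytes in write, and can log or rewrite either direction. */
    static final class InspectHandler extends ChannelDuplexHandler {
        @Override public void channelRead(ChannelHandlerContext ctx, Object msg) {
            ctx.fireChannelRead(rewrite("client->server", msg));
        }

        @Override public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) {
            ctx.write(rewrite("server->client", msg), promise);
        }

        // Example transform: log the frame and replace a constructed marker string
        // so that the modification is visible on the far side of the proxy.
        private static Object rewrite(String direction, Object msg) {
            if (!(msg instanceof ByteBuf)) return msg;
            ByteBuf buf = (ByteBuf) msg;
            String text = buf.toString(CharsetUtil.UTF_8);   // does not move the reader index
            System.out.printf("%s %d bytes: %s%n", direction, buf.readableBytes(), text.trim());
            if (text.contains("PING")) {
                buf.release();
                return Unpooled.copiedBuffer(text.replace("PING", "PONG"), CharsetUtil.UTF_8);
            }
            return buf;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        EventLoopGroup boss = new NioEventLoopGroup(1);
        EventLoopGroup worker = new NioEventLoopGroup();
        try {
            ServerBootstrap sb = new ServerBootstrap()
                .group(boss, worker)
                .channel(NioServerSocketChannel.class)
                .childOption(ChannelOption.AUTO_READ, false) // hold client reads until upstream is up
                .childHandler(new ChannelInitializer<SocketChannel>() {
                    @Override protected void initChannel(SocketChannel client) {
                        // Upstream leg: its pipeline relays server bytes back to the client.
                        Bootstrap cb = new Bootstrap()
                            .group(client.eventLoop())
                            .channel(NioSocketChannel.class)
                            .handler(new RelayHandler(client));
                        ChannelFuture f = cb.connect(UPSTREAM_HOST, UPSTREAM_PORT);
                        Channel upstream = f.channel();
                        // Client leg: inspect first, then relay to the upstream pipeline.
                        client.pipeline().addLast(new InspectHandler(), new RelayHandler(upstream));
                        f.addListener((ChannelFutureListener) cf -> {
                            if (cf.isSuccess()) client.config().setAutoRead(true);
                            else client.close();
                        });
                    }
                });
            sb.bind(LISTEN_PORT).sync().channel().closeFuture().sync();
        } finally {
            boss.shutdownGracefully();
            worker.shutdownGracefully();
        }
    }
}
```

Protocol-specific decoders and encoders would be inserted into the client pipeline ahead of `InspectHandler`, so that `rewrite()` receives typed objects instead of raw `ByteBuf` frames; that is the separation of protocol handling from business logic that the section above describes.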
## Indicators of Compromise
As Mallet is a legitimate tool created for security testing and development, IOCs are generally absent unless it is discovered being used in an unauthorized context.
- File Hashes: N/A (Tool source code, not specific malware payloads)
- File Names: `mallet-1.0-SNAPSHOT.jar` (Execution artifact)
- Registry Keys: N/A
- Network Indicators: N/A (Traffic analysis is dependent on the protocol being proxied)
- Behavioral Indicators: Execution of a Java application that uses Netty to open listening sockets or forward TCP streams according to user-defined pipelines.
## Associated Threat Actors
The article does not associate Mallet with any specific threat actor groups. It is presented as a general-purpose tool developed by SensePost for security and analysis work.
## Detection Methods
Detection focuses on identifying the execution of the tool or traffic manipulation patterns characteristic of a custom proxy implementation.
- Signature-based detection: Signatures for the executable JAR file (`mallet-1.0-SNAPSHOT.jar`).
- Behavioral detection: Detection of processes initiating connections where the resulting TCP streams are immediately mirrored or modified based on application logic (a key indicator of an active proxy setup).
- YARA rules: Applicable against the binary/JAR file itself.
## Mitigation Strategies
Mitigation centers on network segmentation, monitoring, and controlling application execution environments.
- Prevention measures: Restrict users from running arbitrary Java applications that establish network redirection services.
- Hardening recommendations: Implement strong host-based controls to prevent unauthorized software execution; use network monitoring to detect internal systems acting as man-in-the-middle proxies for non-standard protocols.
## Related Tools/Techniques
- Netty Framework (The underlying asynchronous event-driven network application framework).
- General Proxy Tools (e.g., Burp Suite, OWASP ZAP, mitmproxy; Mallet differs in specializing in arbitrary and non-HTTP protocols).
- CoAP protocol implementations (Mentioned as an example of a non-HTTP protocol that can be integrated).